[English] No doubt the open source character of Android has become the favorite target of attackers across all mobile platforms. Nowadays there are plenty of exploits and trojans which we will learn in this article.Hemos analizado nueve conocidos troyanos para Android, que son:

For this analysis we have only studied the permissions that the application requests and we have visualized its code in order to understand the complexity of the trojan.
Note: some trojans contain real application code so the display may seem more complex than it really is.

The ADRD is a trojan with a moderate complexity uncovered in February 2011 that steals information from the phone (IMEI, Wi-Fi, hardware, etc.). This information is encrypted using DES and sent to a series of web pages.

Other characteristics of this Trojan are that it can receive search parameters to use in a well-known Chinese search engine, Baidu.com, to increase the (ranking) visits of a particular web page. It can also receive updates of the Trojan to install silently on the phone.

In figure 1 we can see the permissions this trojan requires for its operations. Some of these permissions are somewhat suspicious as the need to read contacts (READ_CONTACTS), receive messages from the system (RECEIVE_BOOT_COMPLETED), or modify parameters of the phone (MODIFY_PHONE_STATE) but none of these permissions have a high risk for which makes it more effective to go unnoticed.

We have also looked into code complexity (real app + trojan) and as shown in Fig. 2 is a Trojan rather simple to analyze. The apk contains two main packages (tat and xx.yyy). Tat is divided into two packages more (cascadeswallpaper.android and livewallpaper.dandelion) and contains the actual app code, while xx.yyy contains the trojan code.

Once achieved the goal of being root begins the second phase with the installation of a malicious application, SMSapp.apk, on the phone. This application enables the trojan to communicate with the command and control servers (C&C) using HTTP, and like other trojans steals phone information (IMSI, hardware, OS, etc.) that is sent to malicious web pages.

Analyzing the permissions (see Fig. 3) we can appreciate that some of them are dangerous as send SMS (SEND_SMS) and write SMS (WRITE_SMS). Other permissions are less suspicious but interesting nevertheless as record audio (RECORD_AUDIO), write contacts (WRITE_CONTACTS) or read SMS (READ_SMS).

When we visualize the application infected with the Trojan in Fig. 4 we can see a high complexity. A number of packages (com, jackpal.androidterm, javax, myjava.awt.datatransfer and org.apache.harmony) as well as a number of loose files (standalone classes) form the trojan code.

Trojan discovered in March 2011 with different variants. This Trojan also uses different phases be the first phase the execution of exploits to gain root. The analyzed version does not contain these exploits.

The second phase of this Trojan consists on installing another application, a.apk, which is used to steal information from the phone (IMEI and ISMI) that is sent to web pages that act as command centers (C&C). Other features of the Trojan are sending and reading SMS and the ability to receive updates of itself.

In the permissions analysis (Fig. 5) we see some hazardous permissions as sending SMS (SEND_SMS) and installation of packages (INSTALL_PACKAGES). Other permissions of interest for the Trojan are recording audio (RECORD_AUDIO), reading and writing browser history (READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS) and receive events from the system (RECEIVE_BOOT_COMPLETED).

Trojan discovered between May and June 2011, similar to other trojans formerly studied dividing its operation into phases. At first the Trojan uses two exploits (CVE-2009-1185 and CVE-2010-EASY), encrypted with AES, to obtain root privileges on the phone, but unlike other trojans uses up to three different methods to get root.

Once obtained root on the phone, the trojan steals information such as IMEI, hardware, OS, and Wi-Fi which is sent to a web page. With root permissions the trojan can install packages and in this case it also installs another trojan called “legacy” which makes the phone part of a botnet.

Looking at the permissions required by DroidKungFu (see Fig. 7) some should sound the alarm such as installing packages (INSTALL_PACKAGES), and resetting packages (RESTART_PACKAGES). Other interesting permissions are reading phone status (READ_PHONE_STATE) or changing the state of the Wi-Fi (CHANGE_WIFI_STATE).

Analyzing the code complexity of this Trojan (Fig. 8 ) we can identify three main packages (com, org, and uk.co.lilhermit.android.core). The com package contains the code for the trojan that is divided into two packages, google.ssearch and sansec.

The Geinimi is a sophisticated trojan uncovered in December 2010 that although it does not use exploits like other trojans is dangerous because it steals phone IMSI and IMEI information. Other features are sending localization information (geo-location), receive updates for itself and sending SMS.

Analyzing the permissions required by Geinimi (see Fig. 9) we can see an extensive list of necessary permissions for its operation. The permissions we have to draw attention to are sending SMS (SEND_SMS), resetting packages (RESTART_PACKAGES) and writing SMS (WRITE_SMS). Other permissions of interest to our analysis are access to the location of the phone (ACCESS_COARSE_LOCATION), read contacts (READ_CONTACTS), read SMS (READ_SMS), write contacts (WRITE_CONTACTS) and receive SMS (RECEIVE_SMS).

Despite the sophistication of Geinimi the truth is that is a fairly simple code analysis (see Fig. 10) distributed in two packages: admob.android.ads and dseffects.MonkeyJump2. Package dseffects.MonkeyJump2 contains another package, jump2, and loose files (standalone classes). Here is where you find the trojan code.

Trojan discovered in June 2011 and unlike other Trojans its infection focuses on Chinese users who have installed a custom ROM, limiting his dangerousness. jSMSHider uses an exploit to gain root but unlike other trojans this exploit does not attack the Android system but exploit a vulnerability in the digital signature of the ROMs. We can say that jSMSHider is a trojan different to that we have seen so far.

Once obtained root on the phone, the trojan installs another package, testnew.apk, making the phone part of a botnet. Now the Trojan can install new packages, communicate with several websites that act as the command centers (C&C) using DES to encrypt communications and open web pages silently without the user knowing.

Analyzing the permissions of Plankton, Fig. 13, stresses the reading of logs from the system (READ_LOGS). Other interesting permissions are the reading browser history (READ_HISTORY_BOOKMARKS), writing browser history (WRITE_HISTORY_BOOKMARKS), reading contacts (READ_CONTACTS) and reading phone status (READ_PHONE_STATE).

In the code analysis of the Trojan (Fig. 14) there are two main packages: com and org. Com is formed by crazypps.angry.birds.rio.unlocker and plankton packages. It is the former package where we find the trojan code.

The TrojanSMS was discovered in August 2010 and has the honor of being the first trojan for Android. It is a very simple trojan and his infection consists in sending SMS to Russians payment numbers (Premium) so it only affects users in Russia.

Trojan discovered in June 2011 with a moderate sophistication. This trojan turns the phone into a SMS relay for sending SMS silently. Other trojan features are the steal of information that is sent to command centers (C&C), listing installed applications and the ability to update itself.

In the code analysis of Crusewind, Fig. 18, we can see a main package, com.flashp, which is divided into a number of files and packages (bo, data, utils, task, http and xml). All these packages form part of the trojan code.

In this article we have analyzed different Android trojans that are amongst the most common infections and several times it Google had to delete them from the Android Market, but if a phone is infected it is the responsibility of the user to clean it.

Among the analyzed trojans we have seen how they steal phone information, use exploits to gain root, install more trojans to form part of botnets, send SMS or make calls and protect communications through secure channels. I would say a high variety of offensive techniques.

It is striking the number of trojans that are Chinese in origin, and especially the jSMSHider that is targeted on a number of particular users. Could it be that all these developments of offensive technologies are part of the Chinese Government cyber warfare program? What is clear is that Chinese attackers are very active.